Skip to main content

Information risk and impacts to individuals following personal data breaches guidance for IG professionals

This guidance provides detailed information on the potential negative impacts or risks associated with the breach of certain types of information and actions that may need to be taken

Page contents

This guidance provides information on the main considerations and potential risks involved with the breach of certain information, as well as actions you may be able to take to reduce risk. For larger organisations, some of these actions are likely to require the involvement of colleagues from other areas such as information technology (IT), cyber security, emergency preparedness, resilience and response (EPRR), business continuity and your senior management team, as well as suppliers of affected systems.

Personal data breaches
Personal data breaches

For advice on what to do if there is a personal data breach including how to report and decide on the severity of the breach see our guidance on personal data breaches.

Cyber security
Cyber security

For NHS organisations experiencing urgent cyber security issues that require immediate advice and guidance, call the NHS data security helpline on 0300 303 5222 (available 24 hours per day). Even if an incident is not expected to meet the Network and Information Systems (NIS) regulations incident thresholds or if it is unclear, seek support voluntarily from the NHS data security helpline as soon as practically possible so that the incident can be contained and further impacts mitigated. Where appropriate, NHS Cyber Operations will work with the National Cyber Security Centre to manage and resolve incidents.

Adult social care organisations
Adult social care organisations

For adult social care organisations, follow the data breach guidance available as part of Better Security, Better Care. If you require technical assistance, report this to the National Cyber Security Centre.

Risk factors

The expandable fields below describe risks associated with the breach of certain types of information. Whether these risks apply may depend on a number of factors. These should be considered when assessing whether a risk described below is relevant, and the level of the risk.

Who has accessed the information and what are their intentions?

The identity of the party who have accessed the data and their intentions for accessing the data will impact the level of risk. For example:

  • if a member of staff emailed information to the wrong colleague, and the recipient colleague immediately deleted the email, the risk to any individuals would reduce as a result
  • if a member of staff intentionally accesses information about a person in order to contact them for personal reasons, the risk of negative consequence materialising may increase
  • if the access to the information was by a malicious third party intending to publish the information online, the risk of a negative consequence materialising may increase
  • if the information has been published somewhere where it can be accessed more widely, for example on the dark web, then the risks of further access by third parties and negative impact may greatly increase

Is the access ongoing, or have copies been taken?

You may need to consult with technical experts or teams to determine whether access is ongoing or not (for example, whether exfiltration is continuing). Whether the party who has accessed the data continue to have access to the information will impact the possibility of negative outcomes. For example:

  • if the access or disclosure was a one-off and the party who has accessed the data (such as a malicious third party or a member of staff) no longer has access and was not able to take copies, they are unlikely to be able to use this information further therefore the risk may reduce
  • if the third party continue to have access to or a copy of the information, depending on the information, the risk may increase

Is the source of the information known?

The source of the information may reveal information about the data subject that is not explicitly contained in the breached data sets, and this would need to be considered in the risk assessment. For example:

  • if the data breached only contains a name and an address, this may be assessed as low risk - however, if the source of the data is known to be a fertility clinic for example, then there may be a greater risk to the individual if the breach discloses their engagement with this setting

Who is the information about?

Are there any special circumstances about the individual who the data relates to which may increase or reduce the risk. For example:

  • in the case of a child who has been removed from their parents, the breach of an address may present significantly greater risk of harm than in other cases
  • in the case of a vulnerable adult, they may be at higher risk of being susceptible to scamming and fraud than an adult who is not considered vulnerable
  • in the case of a high-profile individual, breached information may attract more attention and have a higher chance of causing reputational damage or distress

How sensitive is the information?

The information itself may be particularly sensitive in light of its nature. For example:

  • not all clinical information carries the same level of sensitivity - information relating to fertility treatments or sexually transmitted diseases are typically more sensitive than a routine blood pressure test or a COVID test result
  • for adult social care, you may hold additional information about a person receiving care which is particularly sensitive, such as bank account details or access codes to their home

Risks and mitigations by dataset

This section provides further information on the risks associated with the loss or alteration of particular data sets. The mitigations listed here are specific to the immediate reduction of risk to the individual. Depending on the size and structure of your organisation, these may need to be undertaken by different departments within an organisation. Whether or not these risks apply may be subject to the risk factors above. For further information on assessing risks and the severity of a breach, see our guidance on personal data breaches.

These lists are not exhaustive particulars of a breach can present a variety of different risks. It is important that each breach is assessed on a case by case basis.

Universal identifiers such as name and date of birth

Associated risks

The breach of one identifier alone does not typically present significant risk, because there may be multiple people with that same identifier - for example, the same name or date of birth.

When released together, these identifiers serve to make breached information identifiable, which inherently increases the potential risk.

The risk to individuals becomes much greater when these identifiers are released alongside other datasets.

If key identifiers are lost or altered on an individual's record this may impede the services ability to locate records and confirm the identity of the individual when they are engaging with the service.

Mitigating actions

Immediate action should be taken to attempt to contain the risk. This may include, securing or retrieving information, as well as removing access from the party who accessed the information. If successful, this should greatly reduce risk.

If the information has been lost or altered, you may need to consider undertaking an exercise to restore or amend inaccurate information. This may include technical solutions or contacting individuals to confirm their details.

Where the breach includes other information, see relevant section for suggested mitigations.

Contact information such as address, phone numbers or email address

Associated risks

Individuals may be targeted by phishing scams (by phone call, text, email or post).

Disclosure of contact information to the wrong person may cause significant distress to the data subject and possibly a risk of physical or mental harm if there are safeguarding considerations. (See Risk Factors: who is the information about)

If contact information such as name and address are altered or lost it may impede the service’s ability to contact the individual.

If information is altered, there is a risk that services may send correspondence to the incorrect address causing a disclosure breach.

Mitigating actions

Immediate action should be taken to attempt to contain the risk. This may include, securing or retrieving information, as well as removing access from the party who accessed the information. If successful, this should greatly reduce risk.

If there is high risk to the individual, you will be required to notify them of the breach so that they can take action to protect themselves.

If there is a high risk and the individual whose information has been breached does not have competency or has authorised someone else to act on their behalf (such as a carer, parent or guardian) it may be appropriate to notify these people so that they can support the individual and take action to protect them.

If the information has been lost or altered, you may need to consider undertaking an exercise to restore or amend inaccurate information. This may include technical solutions or contacting individuals to confirm their details.

Where contact information is known or suspected to have been made inaccurate, sending communication such as emails, letters or texts should be halted until details can be confirmed, alternative communication methods may need to be explored so that there is not an impact on care and you are not prevented from notifying individuals of the breach if necessary.

Identification documents such as passports or driving licence

Associated risks

Breach of identity documents may leave individuals vulnerable to identity theft or fraud.

Identification documents may be used to open bank accounts or to apply for credit cards, which could impact individuals' finances and credit scores (see data set: financial data).

Depending on your purpose for holding this information, loss or alteration of this information may prevent you from conducting certain functions.

Mitigating actions

Immediate action should be taken to attempt to contain the risk. This may include, securing or retrieving information, as well as removing access from the party who accessed the information. If successful, this should greatly reduce risk.

If there is high risk to the individual, you will be required to notify them of the breach so that they can take action to protect themselves.

If there is a high risk and the individual whose information has been breached does not have competency or has authorised someone else to act on their behalf (such as a carer, parent or guardian) it may be appropriate to notify these people so that they can support the individual and take action to protect them.

If notifying individuals, they should be advised to increase vigilance to fraudulent activity and report breached identification documents to the relevant organisation.

Health and care records including health data and other special categories of information under UK GDPR

Associated risks

Special category data are types of information which are typically more sensitive and are afforded greater protections under data protection laws. Health and care records may contain any of the following special categories of information:

  • health data
  • data about a person's racial or ethnic origin
  • data about a person's religious or philosophical beliefs
  • genetic data
  • biometric data
  • data about a person’s sex life
  • data about a person’s sexual orientation

A breach of this information can have wide ranging implications for individuals, for example:

  • they may face reputational damage, discrimination or harassment based on information shared from their health record
  • they may be targeted by ‘bad actors’ who identify vulnerabilities from their health record and target them with scams, blackmail or other crime

There is a significant risk of distress to the individual connected to the release of special category information which may be considered highly sensitive depending on its nature and the circumstances of the individual (see Risk Factors: who is the information about? and Risk Factors: how sensitive is the information).

The release of special category information may also result in a loss of confidence in the service and may therefore have clinical implications. For example, if an individual chooses not to receive treatment anymore because they do not trust the service to keep their information safe.

If a health and care record is lost or no longer considered to be accurate, there may be a risk to the ongoing care of the individual.

If the information breached does not include explicit health information, but still includes information from which health data could be inferred, risks are likely to apply as above. For example, health information could be inferred from the source of the data. For more information read the risk factors: Is the source of the information known section. 

Mitigating actions

Immediate action should be taken to attempt to contain the risk. This may include, securing or retrieving information, as well as removing access from the party who accessed the information. If successful, this should greatly reduce risk.

If there is high risk to the individual, you will be required to notify them of the breach so that they can take action to protect themselves.

If there is a high risk and the individual whose information has been breached does not have competency or has authorised someone else to act on their behalf (such as a carer, parent or guardian) it may be appropriate to notify these people so that they can support the individual and take action to protect them.

If notifying individuals, they should be advised of potential impact and offered or signposted to appropriate support.

If notifying individuals, they should be advised to increase vigilance to scams, blackmail or other crime and where to report these if they occur.

You should consider whether health or care professionals involved in the care of the individual should be informed so that they can support the individual and prevent any impact to care.

If the information has been lost or altered, you may need to consider undertaking an exercise to restore or amend inaccurate information. This may include technical solutions or working with health or care professionals to rebuild accurate records.

Any immediate potential impact to care (such as missed appointments or medications) should be assessed and arrangements made to limit this impact.

Safeguarding information such as reports, assessments or other documentation associated with the protection of individuals at risk

Associated risks

There is a significant risk of distress and triggering of trauma to the data subject connected to the release of information which relates to statutory safeguarding, neglect, harm, exploitation, abuse or violence, some of which they themselves may not be aware of or which they may have shared with the highest expectation of confidentiality. This may apply to victims, survivors and alleged or convicted perpetrators of abuse.

There may be a risk of serious physical or mental harm to the individual where the release of information about an abuse situation may lead to an escalation or to an abuser being able to locate a victim or survivor.

Individuals may be targeted by bad actors who identify vulnerabilities from safeguarding records.

The release of this information may result in a loss of confidence in the service and may therefore have an impact on the services ability to engage with, protect or provide services to the individual.

Information relating to an alleged or convicted perpetrator of abuse may equate to the release of criminal offence data (see data set: criminal offence information).

Mitigating actions

Immediate action should be taken to attempt to contain the risk. This may include, securing or retrieving information, as well as removing access from the party who accessed the information. If successful, this should greatly reduce risk.

If there is high risk to the individual, you will be required to notify them of the breach so that they can take action to protect themselves.

If there is a high risk and the individual whose information has been breached does not have competency or has authorised someone else to act on their behalf (such as a carer, parent or guardian) it may be appropriate to notify these people so that they can support the individual and take action to protect them.

If notifying individuals, they should be advised of potential impact and offered or signposted to appropriate support.

If notifying individuals, they should be advised to increase vigilance to scams, blackmail or other crime and where to report these if they occur.

You should consider whether professionals involved in the care of the individual should be informed so that they can support the individual and prevent any impact on care.

If the information has been lost or altered, you may need to consider undertaking an exercise to restore or amend inaccurate information. This may include technical solutions or working with professionals to rebuild accurate records.

Criminal offence information including allegations, offences and convictions

Associated risks

Data subjects whose criminal offence data is released may face reputational damage, harassment or unfair treatment based on information shared.

There is a significant risk of distress to the data subject connected to the release of criminal offence data.

Release of criminal offence data may impact an individual's relationships, employment and living arrangements.

Bad actors may target individuals with blackmail under threat of further release.

Mitigating actions

Immediate action should be taken to attempt to contain the risk. This may include, securing or retrieving information, as well as removing access from the party who accessed the information. If successful, this should greatly reduce risk.

If there is high risk to the individual, you will be required to notify them of the breach so that they can take action to protect themselves.

If there is a high risk and the individual whose information has been breached does not have competency or has authorised someone else to act on their behalf (such as a carer, parent or guardian) it may be appropriate to notify these people so that they can support the individual and take action to protect them.

If notifying individuals, they should be advised of potential impact and offered or signposted to appropriate support.

If notifying individuals, they should be advised to increase vigilance to scams, blackmail or other crime and where to report these if they occur.

You should consider whether professionals involved in the care of the individual should be informed so that they can support the individual and prevent any impact on care.

If the information has been lost or altered, you may need to consider undertaking an exercise to restore or amend inaccurate information. This may include technical solutions or working with professionals to rebuild accurate records.

Financial information such as bank details, sort codes and account numbers

Associated risks

Disclosure of or access to sort codes, account numbers, long card numbers, card expiry dates and banking security codes may put the individual at immediate risk of fraud or financial crime.

The impact of fraud and financial crime may include:

  • a significant loss of income or savings
  • a deteriorated credit score
  • significant work clearing up loans or purchases
  • having to cancel credit or debit cards, close bank accounts and open new ones

Breaches may have further financial implications on the individual if, as a result of lost or incorrect banking information, they do not receive payments owed to them or are unable to access funds.

Mitigating actions

Immediate action should be taken to attempt to contain the risk. This may include, securing or retrieving information, as well as removing access from the party who accessed the information. If successful, this should greatly reduce risk.

If there is high risk to the individual, you will be required to notify them of the breach so that they can take action to protect themselves.

If there is a high risk and the individual whose information has been breached does not have competency or has authorised someone else to act on their behalf (such as a carer, parent or guardian) it may be appropriate to notify these people so that they can support the individual and take action to protect them.

If notifying individuals, they should be advised to increase vigilance to fraudulent activity and report breached finance information to their banks so that they can put additional safeguards in place and change security information where appropriate.

If the information has been lost or altered, you may need to consider undertaking an exercise to restore or amend inaccurate information. This may include technical solutions or contacting individuals to confirm their details.

If the payment details held by your organisation are known to be incorrect, you may choose to suspend payments to avoid these going to the wrong people.

If your ability to make payments to individuals is affected, you must consider how to avoid impact on the individual, such as organising for alternative payment methods as soon as possible.

Credentials for IT systems, apps or online accounts

Associated risks

Where credentials (such as usernames and passwords) for system accounts are breached there is an additional risk to the information held on, or accessible through, those accounts (see relevant data sets for risk associated with different types of information that may be stored in online accounts).

There is also a risk to other systems where credentials for one can be used to gain access to another, for example, a breach of email credentials is likely to allow bad actors to access multiple other systems or accounts registered with that email address by requesting password changes or contacting account administrators.

Similarly, if an individual has used the same password for multiple accounts, breach of the credentials of one may allow easy access to multiple others.

There is a risk to the friends, family, colleagues and other contacts of those with breached credentials, as the bad actor may impersonate the individual to gain access to other accounts or carry out spear phishing attacks.

There is a risk that the individual will not be able to access their accounts, impacting their personal business or employment.

Mitigating actions

If the system for which the credentials have been breached are controlled by your organisation, you may be able to secure data or limit impact by:

  • resetting credentials (forcing password changes)
  • limiting or blocking account access
  • remotely wiping accounts (if the information can be backed up elsewhere)
  • implementing multi-factor authentication (MFA)

If the account is independently managed (for example a personal email) the individual should be informed so that they can take measures to protect themselves and others. Measures they can take themselves may include:

  • changing their passwords to online accounts
  • contacting account administrators to help secure accounts
  • informing family and friends of the breach in case of scam contact from the account
  • increasing their vigilance to unauthorised activity on their accounts
  • reviewing what other information might be accessible through their accounts and taking appropriate action (for example if the online account held banking information, contacting their bank)
NHS logins/NHS app

Associated risks

The risk presented by unauthorised access to an individual's NHS app or login can differ significantly depending on the level of app integration with the GP health record – in each case of unauthorised access, the individual instance of the app and the features available to them would need to be considered.

Risks may include:

  • access to individuals' clinical information
  • access to identifiers and contact information
  • unauthorised individuals may be able to book appointments or order repeat prescriptions
  • access to correspondence between health care professionals and the individuals

Mitigating actions

Instances of suspected or confirmed unauthorised access to NHS app or login accounts should be reported to the National Service Desk (NSD) by calling 0300 303 5035 or by emailing [email protected]. To secure accounts, the NSD can:

  • disable logins
  • delete or cleanse accounts
  • block registration attempts
Access codes, building identification passes or other information which would allow access to restricted buildings/areas

Associated risks

A breach of codes or information which allows access to restricted buildings (including for example care homes, patient homes or offices) may pose a risk to the physical safety of those working or residing in those buildings.

There may be a risk that any information held in those locations could be inappropriately accessed.

Depending on the nature of the building, individuals or organisations may be at risk of theft or other crime.

These risks may be further stressed by vulnerability of individuals living in buildings that typically have access codes (such as care homes or private homes with visiting carers). See Risk Factors: Who is the information about?

Mitigating actions

If there is high risk to the individual, you will be required to notify them of the breach so that they can take action to protect themselves.

If there is a high risk and the individual whose information has been breached does not have competency or has authorised someone else to act on their behalf (such as a carer, parent or guardian) it may be appropriate to notify these people so that they can support the individual and take action to protect them.

If the buildings and codes/passes are managed by your organisation, you may be able to limit impact by:

  • changing building codes or re-issuing passes
  • informing employees or residents to increase vigilance to unauthorised entry to buildings and what action they should take if they suspect unauthorised entry
  • implementing temporary measures such as on-site security

If the codes are not managed by your organisation, the responsible organisation or individuals should be informed so that they can take measures to protect themselves and others. Measures they can take may include any of those detailed above.

Employment information including performance and sickness records, EDI data, references and salary

Associated risks

Employment records may contain special categories of information such as:

  • health data (including sickness records and information collected for the purpose of reasonable adjustments)
  • data about a person's racial or ethnic origin
  • data about a person's religious or philosophical beliefs
  • data about a person’s sexual orientation

Where breached employment information relates to health, see data set: clinical information for further risks to consider.

An access or disclosure breach of this information can have wide ranging implications for individuals, for example:

  • they may face reputational damage, discrimination or harassment based on this information
  • they may be targeted by ‘bad actors’ who identify vulnerabilities from this information and target them with scams, blackmail or other crime

There is a significant risk of distress to the data subject connected to the release of special category information which may be considered highly sensitive depending on its nature and the circumstances of the individual (see Risk Factor: who is the information about? and Risk Factor: how sensitive is the information?).

The release of special category information may also result in a loss of confidence in the organisation and may damage employee/employer relations.

There is a risk of reputational damage and embarrassment to individuals when information relating to performance is released to colleagues.

If an employment record is lost or no longer considered to be accurate, there may be a risk to the ongoing management of the employee.

Employment data may also include confidential records about a person's wellbeing and personal circumstances and the release of this information may cause significant distress to an individual.

There is a risk of damaging trust with third parties where confidential references are released, as well as a risk of negative repercussions on the third party if the subject of the reference is unhappy with the content.

Salary information may be considered contentious and pose risks as above to the individual.

If the employment data includes bank details, see data set: financial information for further risks to consider.

Mitigating actions

Immediate action should be taken to attempt to contain the risk. This may include, securing or retrieving information, as well as removing access from the party who accessed the information. If successful, this should greatly reduce risk.

If there is high risk to the individual, you will be required to notify them of the breach so that they can take action to protect themselves.

You should consider whether individuals involved in the management of the individual should be informed so that they can support the individual and prevent any impact at work.

If notifying individuals, they should be advised of potential impact and offered or signposted to appropriate support.

If notifying individuals, they should be advised to increase vigilance to scams, blackmail or other crime and where to report these if they occur.

Where there is a risk to third parties it may also be appropriate to notify them.

If the information has been lost or altered, you may need to consider undertaking an exercise to restore or amend inaccurate information. This may include technical solutions or working with the individual or managers to rebuild accurate records.

Supplier records including contact details, contracts, invoices

Associated risks

There is a risk that suppliers may be targeted with phishing where their contact details are released in a breach.

There is a risk that suppliers may be targeted with other attacks such as cyber-attacks in an attempt to disrupt the service they provide.

The risk is increased if the bad actor knows an organisation’s relationship with the supplier, as this may allow them to impersonate the organisation to extract information, services or funds.

If invoices which include financial or banking information are included in a breach, see data set: financial information for further risks to consider.

Mitigating actions

Immediate action should be taken to attempt to contain the risk. This may include, securing or retrieving information, as well as removing access from the party who accessed the information. If successful, this should greatly reduce risk.

If there is likelihood of risk to the supplier, it may be appropriate to inform them of the breach and the risk so that they can take action to protect themselves.

You may need to implement temporary or permanent security measures for interactions with suppliers so that fraudulent contact attempts are not successful.

System or operational business documentation

Associated risks

Generally, health and care sector business information is low risk as in many cases it could be released to the public under a Freedom of Information request. Some information however is exempt and considered sensitive.

Certain operational documentation (such as those relating to IT security) may put an organisation at risk of a cyber incident or reputational damage if released.

Where the information is about an organisation’s structures and vulnerabilities it may be possible for bad actors to exploit these to cause further breaches.

Mitigating actions

Immediate action should be taken to attempt to contain the risk. This may include, securing or retrieving information, as well as removing access from the party who accessed the information. If successful, this should greatly reduce risk.

Where a release of information leaves you vulnerable to cyber-attack, immediate work should be undertaken to secure systems and remove vulnerabilities. This may include:

  • updating protocols
  • implementing network segregation
  • putting effective local firewalls in place
  • implementing patch management
  • undertaking vulnerability scanning
  • implementing an effective system of logging and monitoring access and changes
  • updating software
  • implementing point-to-point encryption
  • securing the domain administrator account with appropriate controls
  • ensuring that there are secure and tested back-ups in place
  • providing security training to staff
  • testing response and recovery plans

If any systems are managed by a supplier, you will need to work with the supplier to secure the system and remove any vulnerabilities in line with the above.

Where the release of sensitive business information presents a risk to the function or reputation of your organisation it may be appropriate to:

  • consult or update business continuity plans
  • seek support with external comms in the event of media interest
  • brief colleagues on managing enquiries around the breached information

For NHS organisations experiencing urgent cyber security issues that require immediate advice and guidance, call the NHS data security helpline on 0300 303 5222 (available 24 hours per day). Even if an incident is not expected to meet the Network and Information Systems (NIS) regulations incident thresholds or if it is unclear, seek support voluntarily from the NHS data security helpline as soon as practically possible so that the incident can be contained and further impacts mitigated. Where appropriate, NHS Cyber Operations will work with the National Cyber Security Centre to manage and resolve incidents.

Further guidance on data breaches

For further guidance on data breaches including reporting requirements, risk assessing and notifying patients/service users, see our personal data breach guidance.

For guidance specific to adult social care, see the Data Breach Guidance on the Digital Care Hub.

Guidance for patients and service users

Guidance for health and care professionals

Health and Care Information Governance Working Group

The portal exists to provide clear and consistent IG advice and guidance to patients and service users, health and care staff and IG professionals.  NHS England convenes a working group to check and challenge the guidance.

Last edited: 7 May 2026 4:47 pm